CERT Coordination Center


Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP

Vulnerability Note VU#922681

Original Release Date: 2013-01-29 | Last Revised: 2014-07-30

Overview

The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet.

Description

Universal Plug and Play (UPnP) is a set of network protocols designed to support automatic discovery and service configuration. The Portable SDK for UPnP Devices (libupnp) is an open source project that has its roots in the Linux SDK for UPnP Devices and software from Intel (Intel Tools for UPnP Technologies and later Developer Tools for UPnP Technologies). Intel no longer maintains or supports these tools. Many different vendors produce UPnP-enabled devices that use libupnp.

As part of a large scale security research project, Rapid7 investigated internet-connected UPnP devices and found, among other security issues, multiple buffer overflow vulnerabilities in the libupnp implementation of the Simple Service Discovery Protocol (SSDP). Rapid7's report summarizes these vulnerabilities:

Portable SDK for UPnP Devices unique_service_name() Buffer Overflows

The libupnp library is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library.

This advisory does not address historic or current vulnerabilities in the HTTP and SOAP processing code of libupnp.

Affected Versions
Versions 1.2 (Intel SDK) and 1.2.1a - 1.8.0 (Portable SDK) are affected by at least three remotely exploitable buffer overflows in the unique_service_name() function, which is called to process incoming SSDP requests on UDP port 1900. Additionally, versions prior to 1.6.17 are vulnerable to additional issues in the same function. Please see Appendix A for a review of the vulnerable code by version.

Affected Vendors
Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected and a list of confirmed vendors and products is provided in Appendix B.

Additional details may be found in a paper and advisory from Rapid7.
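
The overflow class named in Rapid7's summary, request-controlled data copied into a fixed-size stack buffer, is avoided by checking every input-derived length against the destination size before copying. The parser below is an added illustration, not libupnp code and not part of this advisory; the `uuid:<id>::<type>` layout is the standard UPnP USN form, while `parse_usn`, `struct usn_parts` and the 64-byte field size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64            /* assumed size for this example only */

struct usn_parts {              /* illustrative names, not libupnp's */
    char udn[FIELD_MAX];        /* "uuid:<device-id>" */
    char type[FIELD_MAX];       /* "urn:...", "upnp:rootdevice", or "" */
};

enum { USN_OK = 0, USN_MALFORMED = -1, USN_TOO_LONG = -2 };

/* Copy n bytes only if they fit in dst together with the terminator. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n >= dst_size)
        return USN_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return USN_OK;
}

/*
 * Split "uuid:<id>[::<type>]" taken from a datagram of known length.
 * buf need not be NUL-terminated; nothing past buf[len - 1] is read.
 * On any error *out is left zeroed.
 */
int parse_usn(const char *buf, size_t len, struct usn_parts *out)
{
    size_t i, sep = len;        /* sep == len: no "::" separator found */
    int rc;

    memset(out, 0, sizeof *out);
    if (len < 6 || memcmp(buf, "uuid:", 5) != 0 || buf[5] == ':')
        return USN_MALFORMED;

    for (i = 5; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x21 || c > 0x7e)       /* reject NUL, space, control bytes */
            return USN_MALFORMED;
        if (sep == len && c == ':' && i + 1 < len && buf[i + 1] == ':')
            sep = i;
    }

    rc = copy_bounded(out->udn, sizeof out->udn, buf, sep);
    if (rc == USN_OK && sep != len) {
        const char *type = buf + sep + 2;
        size_t type_len = len - sep - 2;
        int known = (type_len > 4 && memcmp(type, "urn:", 4) == 0) ||
                    (type_len == 15 && memcmp(type, "upnp:rootdevice", 15) == 0);
        rc = known ? copy_bounded(out->type, sizeof out->type, type, type_len)
                   : USN_MALFORMED;
    }
    if (rc != USN_OK)
        memset(out, 0, sizeof *out);
    return rc;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    static const char *samples[] = {
        "uuid:2fac1234-31f8-11b4-a222-08002b34c003::urn:schemas-upnp-org:device:MediaServer:1",
        "uuid:2fac1234-31f8-11b4-a222-08002b34c003::upnp:rootdevice",
        "uuid:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "urn:schemas-upnp-org:device:MediaServer:1",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct usn_parts p;
        int rc = parse_usn(samples[i], strlen(samples[i]), &p);
        printf("rc=%d udn=\"%s\" type=\"%s\"\n", rc, p.udn, p.type);
    }
    return 0;
}
```

Oversized components are rejected rather than truncated, because a truncated identifier would silently name a different device or service.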

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service.

Solution

Apply an Update

libupnp 1.6.18 has been released to address these vulnerabilities.

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.

Disable UPnP

Consider disabling UPnP on the device if it is not absolutely necessary.

Vendor Information

We attempted to notify more than 200 vendors identified by Rapid7 as running libupnp. The following list includes vendors who responded to our notification and vendors for whom we had existing security contact information.

Axis

Notified:  December 13, 2012 Updated:  April 05, 2013

Status

  Affected

Vendor Statement

Axis products included version 1.6.17 (or earlier) of the libupnp library. UPnP is enabled by default and is mainly used for discovery and NAT configuration. All releases prior to 5.50.2 are affected by this vulnerability except for the AXIS P135x-series where the correction was released in the latest 5.40.19.

Vendor Information

All Axis products running firmware versions prior to 5.5x are potentially affected.

Axis included the latest version 1.6.18 of UPnP in order to address the vulnerability and it will be available in release 5.50.2 or later. For prior releases, users are recommended to turn off UPnP (available under System Options/Network/UPnP).

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Affected

Vendor Statement

Cisco is investigating this issue for potential impact to Cisco and Linksys products.  Please consult our public documents on this issue here:
 
Cisco's Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
 
Linksys Knowledge Base article: http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341

D-Link Systems, Inc.

Notified:  December 13, 2012 Updated:  January 31, 2013

Status

  Affected

Vendor Statement

January 30, 2013 UPDATE:

At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.

Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offer (i.e. network camera feed):

All Versions of Intel SDK
Version of Portable SDK prior to V. 1.6.18
Version of MiniUPnP SDK prior to V. 1.1

Security and performance are of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.

The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information online at www.dlink.com/upnp

Vendor Information

Customers that want to disable UPnP in the affected products can do so by following these steps:

Current Solution for Affected Products by Disabling UPnP

Step 1: Log into device web configuration - For routers default URL

http://dlinkrouter.local or http://192.168.0.1

Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
Step 4: Click Save Settings at the top to apply the settings.

*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.

Vendor References

http://www.dlink.com/us/en/technology/upnp

Fujitsu Technology

Notified:  January 10, 2013 Updated:  January 29, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Affected

Vendor Statement

Cisco is investigating this issue for potential impact to Cisco and Linksys products.  Please consult our public documents on this issue here:
 
Cisco's Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
 
Linksys Knowledge Base article: http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341

NEC Corporation

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/secinfo/nv13-003.html

Siemens

Notified:  December 13, 2012 Updated:  January 30, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

From SSA-963338:

      Siemens OZW and OZS products use the UPnP network protocol for supporting specific localization functions. The 3rd party library libupnp [1] used for this protocol is vulnerable to multiple stack-based buffer overflows, as reported by CERT-CC [2]. These vulnerabilities allow DoS attacks and possibly remote code execution if the affected network ports are reachable by an attacker. Siemens plans to provide official permanent fixes with upcoming firmware updates and product replacements, and describes a temporary workaround below.
The full advisory can be found at the URL below.

Vendor References

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-963338.pdf

Sony Corporation

Notified:  December 13, 2012 Updated:  January 30, 2013

Status

  Affected

Vendor Statement

The following Sony products are affected by this vulnerability. Please access the links below for more details.

Multi Channel AV Receiver : STR-DA3700ES, STR-DA5700ES

[STR-DA5700ES]
in USA:
http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA5700ES&news_id=461


in Canada:
http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA5700ES&news_id=461

in Europe(UK):
http://www.sony.co.uk/support/en/product/STR-DA5700ES/news/STR_DA_HN

[STR-DA3700ES]
in USA:
http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA3700ES&news_id=461
in Canada:
http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA3700ES&news_id=461
in Europe(UK):
http://www.sony.co.uk/support/en/product/STR-DA3700ES/news/STR_DA_HN

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Synology

Notified:  December 13, 2012 Updated:  February 28, 2013

Status

  Affected

Vendor Statement

Synology products employ version 1.6.6 of the libupnp library for the following features: Video Station, Audio Station, Media Server, Surveillance Station, and EZ-Internet (UPnP router discovery).

All versions of DSM prior to DSM 4.2 are affected by this vulnerability. However, the vulnerability issue will be resolved in the official release of DSM 4.2, planned in March 2013.

Vendor Information

To avoid being affected by this vulnerability, users are recommended to do the following:

* Deploy firewall rules to block untrusted hosts from being able to access port 1900/UDP.
* Update to DSM 4.2 when it is officially released.

Users could also consider turning off UPnP features for the following applications:

* Video Station: Stop running Video Station.
* Audio Station: Turn off UPnP in the settings.
* Media Server: Stop running Media Server.
* EZ-Internet: Do not configure routers with EZ-Internet.
* Surveillance: Do not add IP cameras by searching IP cams on LAN in Surveillance Station.

ipitomy

Notified:  January 08, 2013 Updated:  February 01, 2013

Statement Date:   January 31, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

IPitomy Communications

Response to CERT VU#922681
1/31/2013

Summary

The Software Developer Kit (SDK) for Universal Plug-n-Play (UPnP) Devices contains a library originally developed as the Intel SDK for UPnP Devices. Multiple stack-based buffer overflow vulnerabilities have been found in the popular versions of this library used on many network vendor devices. For more information on this vulnerability please visit: http://www.kb.cert.org/vuls/id/922681

Affected Products

IPitomy has not confirmed the vulnerability yet and is still investigating. However we are listing below the only products that could be affected as well as the recommended steps to prevent any potential exploitation of these vulnerabilities.

IP1000 and IP1000v2

These products contain an affected version of the UPnP library. IPitomy recommends disabling UPnP permanently on these products.
This product defaults the UPnP setting to “on”.
Note we have scanned the IP1000 products from the WAN side and have determined that with the UPnP service on, the systems do not respond to UPnP requests from the WAN, therefore exploitation of these UPnP vulnerabilities would have to occur from the LAN side of the device.

IPR20

IPR20 contains router functionality. The UPnP service is disabled by default on these devices. IPitomy recommends that you ensure that UPnP service is disabled.
IPitomy has confirmed that if UPnP service is enabled the device does not respond to UPnP requests on the WAN interface, therefore exploitation of these UPnP vulnerabilities would have to occur through the LAN side of the device.
Properly installed (IPR20 WAN port connected to customer LAN), devices should not present these vulnerabilities.

Vendor References

http://www.ipitomy.com/index.php/mi-security-notice-ip001

Ubiquiti Networks

Notified:  January 09, 2013 Updated:  January 29, 2013

Statement Date:   January 10, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Yamaha Corporation

Updated:  February 01, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

teldat

Updated:  February 05, 2013

Status

  Not Affected

Vendor Statement

-------------------------

| Teldat Security Bulletin |
-------------------------

Bulletin ID: 2013-02-04
Revision: 1.0

Title:
Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP
(US-CERT Vulnerability Note VU#922681)

Summary:
US-CERT Note VU#922681 describes that the "Portable SDK for UPnP Devices libupnp" library contains multiple buffer overflow vulnerabilities. Devices that use "libupnp" may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. A remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service.

Details can be found at http://www.kb.cert.org/vuls/id/922681 and https://community.rapid7.com/docs/DOC-2150

Comment:
The UPnP implementation used in the BOSS operating system is a proprietary solution developed by Teldat, and no Teldat product running the BOSS operating system is affected. Note that products sold under the former company name of "Funkwerk Enterprise Communications" - if running the BOSS operating system - are equally not affected by this vulnerability.

Copyright (c) 2013, Teldat GmbH. All Rights Reserved

----- End Security Bulletin 2013-02-04 -----

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.teldat.org/download/en/products/security_bulletin/security_bulletin_2013-02-05_advisory.txt

3com Inc

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox

Notified:  January 11, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  February 01, 2013 Updated:  February 01, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Koukaam

Notified:  January 10, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Logitech

Notified:  January 04, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc.

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc.

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Pantech North America

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  December 04, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SFR

Notified:  January 04, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SMC Networks, Inc.

Notified:  January 04, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sitecom

Notified:  January 04, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TP-Link

Notified:  January 04, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Texas Instruments

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  December 04, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Visual Tools

Notified:  January 10, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  December 13, 2012 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

orb Networks

Notified:  January 16, 2013 Updated:  January 29, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7    E:H/RL:OF/RC:C
Environmental  6.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to HD Moore of Rapid7 for reporting this vulnerability, and Tod Beardsley for coordination support.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965
Date Public: 2013-01-29
Date First Published: 2013-01-29
Date Last Updated: 2014-07-30 19:13 UTC
Document Revision: 69

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.